Security update for unbound
Announcement ID: |
SUSE-SU-2024:1923-1 |
Rating: |
important |
References: |
|
Cross-References:
|
|
CVSS scores: |
-
CVE-2022-30698
(
SUSE
):
5.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
-
CVE-2022-30698
(
NVD
):
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
-
CVE-2022-30699
(
SUSE
):
5.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
-
CVE-2022-30699
(
NVD
):
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
-
CVE-2022-3204
(
SUSE
):
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
CVE-2022-3204
(
NVD
):
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
CVE-2023-50387
(
SUSE
):
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
CVE-2023-50387
(
NVD
):
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
CVE-2023-50868
(
SUSE
):
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
Affected Products: |
- Basesystem Module 15-SP6
- openSUSE Leap 15.6
- SUSE Linux Enterprise Desktop 15 SP6
- SUSE Linux Enterprise Real Time 15 SP6
- SUSE Linux Enterprise Server 15 SP6
- SUSE Linux Enterprise Server for SAP Applications 15 SP6
- SUSE Package Hub 15 15-SP6
|
An update that solves five vulnerabilities and contains one feature can now be installed.
Description:
This update for unbound fixes the following issues:
unbound was updated to 1.20.0:
- A lot of bugfixes and added features.
For a complete list take a look at the changelog located at:
/usr/share/doc/packages/unbound/Changelog or
https://www.nlnetlabs.nl/projects/unbound/download/
Some Noteworthy Changes:
- Removed DLV. The DLV has been decommisioned since unbound
1.5.4 and has been advised to stop using it since. The use of
dlv options displays a warning.
- Remove EDNS lame procedure, do not re-query without EDNS after
timeout.
- Add DNS over HTTPS
- libunbound has been upgraded to major version 8
Security Fixes:
* CVE-2023-50387: DNSSEC verification complexity can be
exploited to exhaust CPU resources and stall DNS resolvers. [bsc#1219823]
* CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU.
[bsc#1219826]
* CVE-2022-30698: Novel "ghost domain names" attack by
introducing subdomain delegations. [bsc#1202033]
* CVE-2022-30699: Novel "ghost domain names" attack by
updating almost expired delegation information. [bsc#1202031]
* CVE-2022-3204: NRDelegation attack leads to uncontrolled
resource consumption (Non-Responsive Delegation Attack). [bsc#1203643]
Packaging Changes:
- Use prefixes instead of sudo in unbound.service
- Remove no longer necessary BuildRequires: libfstrm-devel and
libprotobuf-c-devel
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.6
zypper in -t patch SUSE-2024-1923=1 openSUSE-SLE-15.6-2024-1923=1
-
Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-1923=1
-
SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-1923=1
Package List:
-
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
- libunbound-devel-mini-debugsource-1.20.0-150600.23.3.1
- unbound-1.20.0-150600.23.3.1
- libunbound8-1.20.0-150600.23.3.1
- libunbound-devel-mini-debuginfo-1.20.0-150600.23.3.1
- libunbound8-debuginfo-1.20.0-150600.23.3.1
- unbound-anchor-debuginfo-1.20.0-150600.23.3.1
- unbound-debugsource-1.20.0-150600.23.3.1
- unbound-debuginfo-1.20.0-150600.23.3.1
- unbound-devel-1.20.0-150600.23.3.1
- unbound-python-1.20.0-150600.23.3.1
- unbound-anchor-1.20.0-150600.23.3.1
- unbound-python-debuginfo-1.20.0-150600.23.3.1
- libunbound-devel-mini-1.20.0-150600.23.3.1
-
openSUSE Leap 15.6 (noarch)
- unbound-munin-1.20.0-150600.23.3.1
-
Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
- unbound-debugsource-1.20.0-150600.23.3.1
- libunbound8-1.20.0-150600.23.3.1
- unbound-anchor-debuginfo-1.20.0-150600.23.3.1
- libunbound8-debuginfo-1.20.0-150600.23.3.1
- unbound-devel-1.20.0-150600.23.3.1
- unbound-debuginfo-1.20.0-150600.23.3.1
- unbound-anchor-1.20.0-150600.23.3.1
-
SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
- unbound-1.20.0-150600.23.3.1
- unbound-debugsource-1.20.0-150600.23.3.1
- unbound-python-1.20.0-150600.23.3.1
- unbound-debuginfo-1.20.0-150600.23.3.1
- unbound-python-debuginfo-1.20.0-150600.23.3.1
References: